From: Chris R. <chr...@ma...> - 2002-10-08 16:14:02
On 8/10/02 3:40 pm, Bing Du <du...@mo...> wrote:

> Now that Net::LDAPS works, does that mean our directory server supports
> SSL but not necessarily supports TLS?
>
> From my understanding after reading the description of Net::LDAPS:
>
> "...
> Note that the use of LDAPS is not recommended, because it is
> not described by any IETF documents. Instead, you should
> consider using LDAPv3 with the TLS extension defined in RFC
> 2830. This will give you the same functionality as LDAPS,
> but using recognized standards. See the start_tls entry in
> the Net::LDAP manpage. ..."
>
> Start_tls should at least do what Net::LDAPS can do. Please correct me if
> I'm wrong. Thanks.

At the protocol level, they're rather different. StartTLS is an LDAPv3
extended operation that servers must explicitly support. Because you can
issue StartTLS at an arbitrary point in your connection to the server, it
isn't the same as making an SSL connection to a given port.

Now one thing I noticed from your original snippet is:

    my $ldcon = new Net::LDAP($ldap_server,version=>3) || die "Can't connect";
    my $mesg = $ldcon->bind(dn => $dn,password => $pw);
    $mesg = $ldcon->start_tls();
    print "start_tls: ",$mesg->error,"\n";

It is unusual to do the bind in the clear, and then turn on TLS afterwards.
That might be what you wanted, but normally you'd turn on TLS before issuing
any bind. That would be more similar to just making an LDAPS connection,
though incurring the extra overhead of the extended operation and result.

The second oddity is that you're not waiting for the bind to succeed. Try
checking for that before you call start_tls. Maybe there's an issue with
there being outstanding results on the socket when we try switching it, so
waiting for the bind result should address that.

Cheers,

Chris
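The ordering Chris recommends, written out as an added example in Perl against the Net::LDAP API (this is not code from the thread, from Chris or from Bing): the connection is switched to TLS first, that result is checked, and only then are credentials sent in a bind. The server name, bind DN, password and CA file path are placeholders; the LDAPS variant at the end shows the dedicated-port approach he contrasts with StartTLS, using the same certificate check.

```perl
#!/usr/bin/perl
# Added example, not the mailing-list poster's code. Hostname, DN, password
# and CA file path below are placeholders to be replaced.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;

my $ldap_server = 'ldap.example.com';                # placeholder
my $dn          = 'cn=reader,dc=example,dc=com';     # placeholder
my $pw          = 'placeholder-password';            # placeholder
my $cafile      = '/etc/ssl/certs/example-ca.pem';   # placeholder

# Plain LDAPv3 connection; nothing sensitive has been sent yet.
# Net::LDAP->new returns undef and leaves the reason in $@ on failure.
my $ldcon = Net::LDAP->new($ldap_server, version => 3)
    or die "Can't connect to $ldap_server: $@";

# 1. StartTLS on the still-anonymous connection, and wait for its result.
#    verify => 'require' makes the client validate the server certificate
#    against $cafile, so the password below is not handed to an impostor.
my $mesg = $ldcon->start_tls(verify => 'require', cafile => $cafile);
die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

# 2. Only now send credentials; the bind travels inside the TLS layer.
#    Checking the result here is the "wait for the bind" step as well.
$mesg = $ldcon->bind($dn, password => $pw);
die "bind failed: " . $mesg->error . "\n" if $mesg->code;

# ... directory operations go here ...
$ldcon->unbind;

# Equivalent protection over LDAPS: the TLS handshake happens at connect
# time (default port 636), so there is no separate extended operation, but
# the same certificate check applies before any bind is sent.
my $ldaps = Net::LDAPS->new($ldap_server,
                            version => 3,
                            verify  => 'require',
                            cafile  => $cafile)
    or die "Can't connect over LDAPS: $@";
$mesg = $ldaps->bind($dn, password => $pw);
die "LDAPS bind failed: " . $mesg->error . "\n" if $mesg->code;
$ldaps->unbind;
```

The two `$mesg->code` checks are the point: `start_tls` and `bind` each return a Net::LDAP::Message, and a zero code is the only indication that the operation completed, so testing it before moving on avoids both the plaintext bind and the outstanding-result problem the reply describes.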